diff options
Diffstat (limited to 'tests/test_xmlrpc/test_selinuxusermap_plugin.py')
-rw-r--r-- | tests/test_xmlrpc/test_selinuxusermap_plugin.py | 934 |
1 files changed, 0 insertions, 934 deletions
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py deleted file mode 100644 index ad3cb3465..000000000 --- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py +++ /dev/null @@ -1,934 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# -# Copyright (C) 2011 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -""" -Test the `ipalib/plugins/selinuxusermap.py` module. -""" - -from ipalib import api, errors -from tests.test_xmlrpc import objectclasses -from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid -from ipapython.dn import DN -from tests.util import Fuzzy - -rule1 = u'selinuxrule1' -selinuxuser1 = u'guest_u:s0' -selinuxuser2 = u'xguest_u:s0' - -user1 = u'tuser1' -group1 = u'testgroup1' -host1 = u'testhost1.%s' % api.env.domain -hostdn1 = DN(('fqdn', host1), ('cn', 'computers'), ('cn', 'accounts'), - api.env.basedn) -hbacrule1 = u'testhbacrule1' -hbacrule2 = u'testhbacrule12' - -# Note (?i) at the beginning of the regexp is the ingnore case flag -fuzzy_selinuxusermapdn = Fuzzy( - '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}' - '-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s' - % (api.env.container_selinux, api.env.basedn) -) -fuzzy_hbacruledn = Fuzzy( - '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}' - '-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s' - % (api.env.container_hbac, api.env.basedn) -) - -allow_all_rule_dn = api.Command['hbacrule_show'](u'allow_all')['result']['dn'] - - -class test_selinuxusermap(Declarative): - cleanup_commands = [ - ('selinuxusermap_del', [rule1], {}), - ('group_del', [group1], {}), - ('user_del', [user1], {}), - ('host_del', [host1], {}), - ('hbacrule_del', [hbacrule1], {}), - ('hbacrule_del', [hbacrule2], {}), - ] - - tests = [ - - dict( - desc='Try to retrieve non-existent %r' % rule1, - command=('selinuxusermap_show', [rule1], {}), - expected=errors.NotFound( - reason=u'%s: SELinux User Map rule not found' % rule1), - ), - - - dict( - desc='Try to update non-existent %r' % rule1, - command=('selinuxusermap_mod', [rule1], dict(description=u'Foo')), - expected=errors.NotFound( - reason=u'%s: SELinux User Map rule not found' % rule1), - ), - - - dict( - desc='Try to delete non-existent %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=errors.NotFound( - reason=u'%s: SELinux User Map rule not found' % rule1), - ), - - - dict( - desc='Create rule %r' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1) - ), - expected=dict( - value=rule1, - summary=u'Added SELinux User Map "%s"' % rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - objectclass=objectclasses.selinuxusermap, - ipauniqueid=[fuzzy_uuid], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ), - ), - - - dict( - desc='Try to create duplicate %r' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1) - ), - expected=errors.DuplicateEntry(message=u'SELinux User Map rule ' + - u'with name "%s" already exists' % rule1), - ), - - - dict( - desc='Retrieve rule %r' % rule1, - command=('selinuxusermap_show', [rule1], {}), - expected=dict( - value=rule1, - summary=None, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ), - ), - - - dict( - desc='Update rule %r' % rule1, - command=( - 'selinuxusermap_mod', [rule1], - dict(ipaselinuxuser=selinuxuser2) - ), - expected=dict( - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - ), - summary=u'Modified SELinux User Map "%s"' % rule1, - value=rule1, - ), - ), - - - dict( - desc='Retrieve %r to verify update' % rule1, - command=('selinuxusermap_show', [rule1], {}), - expected=dict( - value=rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - summary=None, - ), - ), - - - dict( - desc='Search for rule %r' % rule1, - command=('selinuxusermap_find', [], dict(cn=rule1)), - expected=dict( - count=1, - truncated=False, - result=[ - dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ], - summary=u'1 SELinux User Map matched', - ), - ), - - - ############### - # Create additional entries needed for testing - dict( - desc='Create %r' % user1, - command=( - 'user_add', [], dict(givenname=u'Test', sn=u'User1') - ), - expected=dict( - value=user1, - summary=u'Added user "%s"' % user1, - result=dict( - gecos=[u'Test User1'], - givenname=[u'Test'], - homedirectory=[u'/home/%s' % user1], - krbprincipalname=[u'%s@%s' % (user1, api.env.realm)], - loginshell=[u'/bin/sh'], - objectclass=objectclasses.user, - sn=[u'User1'], - uid=[user1], - uidnumber=[fuzzy_digits], - gidnumber=[fuzzy_digits], - mail=[u'%s@%s' % (user1, api.env.domain)], - displayname=[u'Test User1'], - cn=[u'Test User1'], - initials=[u'TU'], - ipauniqueid=[fuzzy_uuid], - krbpwdpolicyreference=[DN(('cn', 'global_policy'), - ('cn', api.env.realm), - ('cn', 'kerberos'), - api.env.basedn) - ], - mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'), - ('cn', 'accounts'), api.env.basedn)], - memberof_group=[u'ipausers'], - dn=DN(('uid', user1), ('cn', 'users'), ('cn', 'accounts'), - api.env.basedn), - has_keytab=False, - has_password=False, - ), - ), - ), - - dict( - desc='Create group %r' % group1, - command=( - 'group_add', [group1], dict(description=u'Test desc 1') - ), - expected=dict( - value=group1, - summary=u'Added group "%s"' % group1, - result=dict( - cn=[group1], - description=[u'Test desc 1'], - gidnumber=[fuzzy_digits], - objectclass=objectclasses.group + [u'posixgroup'], - ipauniqueid=[fuzzy_uuid], - dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), - api.env.basedn), - ), - ), - ), - - - dict( - desc='Add member %r to %r' % (user1, group1), - command=( - 'group_add_member', [group1], dict(user=user1) - ), - expected=dict( - completed=1, - failed=dict( - member=dict( - group=tuple(), - user=tuple(), - ), - ), - result={ - 'dn': DN(('cn', group1), ('cn', 'groups'), - ('cn', 'accounts'), api.env.basedn), - 'member_user': (user1,), - 'gidnumber': [fuzzy_digits], - 'cn': [group1], - 'description': [u'Test desc 1'], - }, - ), - ), - - - dict( - desc='Create host %r' % host1, - command=('host_add', [host1], - dict( - description=u'Test host 1', - l=u'Undisclosed location 1', - force=True, - ), - ), - expected=dict( - value=host1, - summary=u'Added host "%s"' % host1, - result=dict( - dn=hostdn1, - fqdn=[host1], - description=[u'Test host 1'], - l=[u'Undisclosed location 1'], - krbprincipalname=[u'host/%s@%s' % (host1, api.env.realm)], - objectclass=objectclasses.host, - ipauniqueid=[fuzzy_uuid], - managedby_host=[host1], - has_keytab=False, - has_password=False, - ), - ), - ), - - - dict( - desc='Create HBAC rule %r' % hbacrule1, - command=( - 'hbacrule_add', [hbacrule1], {} - ), - expected=dict( - value=hbacrule1, - summary=u'Added HBAC rule "%s"' % hbacrule1, - result=dict( - cn=[hbacrule1], - objectclass=objectclasses.hbacrule, - ipauniqueid=[fuzzy_uuid], - accessruletype=[u'allow'], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_hbacruledn, - ), - ), - ), - - - dict( - desc='Create HBAC rule %r' % hbacrule2, - command=( - 'hbacrule_add', [hbacrule2], {} - ), - expected=dict( - value=hbacrule2, - summary=u'Added HBAC rule "%s"' % hbacrule2, - result=dict( - cn=[hbacrule2], - objectclass=objectclasses.hbacrule, - ipauniqueid=[fuzzy_uuid], - accessruletype=[u'allow'], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_hbacruledn, - ), - ), - ), - - - ############### - # Fill out rule with members and/or pointers to HBAC rules - dict( - desc='Add user to %r' % rule1, - command=('selinuxusermap_add_user', [rule1], dict(user=user1)), - expected=dict( - failed=dict(memberuser=dict(group=[], user=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - memberuser_user=[user1], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Add non-existent user to %r' % rule1, - command=('selinuxusermap_add_user', [rule1], - dict(user=u'notfound')), - expected=dict( - failed=dict( - memberuser=dict(group=[], - user=[(u'notfound', u'no such entry')]) - ), - completed=0, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - memberuser_user=[user1], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Remove user from %r' % rule1, - command=('selinuxusermap_remove_user', [rule1], dict(user=user1)), - expected=dict( - failed=dict(memberuser=dict(group=[], user=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Remove non-existent user to %r' % rule1, - command=('selinuxusermap_remove_user', [rule1], - dict(user=u'notfound')), - expected=dict( - failed=dict( - memberuser=dict(group=[], - user=[(u'notfound', u'This entry is not a member')] - ) - ), - completed=0, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Add group to %r' % rule1, - command=('selinuxusermap_add_user', [rule1], dict(group=group1)), - expected=dict( - failed=dict(memberuser=dict(group=[], user=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - memberuser_group=[group1], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Add host to %r' % rule1, - command=('selinuxusermap_add_host', [rule1], dict(host=host1)), - expected=dict( - failed=dict(memberhost=dict(hostgroup=[], host=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - memberhost_host=[host1], - memberuser_group=[group1], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - ############### - # Test enabling and disabling - dict( - desc='Disable %r' % rule1, - command=('selinuxusermap_disable', [rule1], {}), - expected=dict( - result=True, - value=rule1, - summary=u'Disabled SELinux User Map "%s"' % rule1, - ) - ), - - - dict( - desc='Disable %r again' % rule1, - command=('selinuxusermap_disable', [rule1], {}), - expected=errors.AlreadyInactive(), - ), - - - dict( - desc='Enable %r' % rule1, - command=('selinuxusermap_enable', [rule1], {}), - expected=dict( - result=True, - value=rule1, - summary=u'Enabled SELinux User Map "%s"' % rule1, - ) - ), - - - dict( - desc='Re-enable %r again' % rule1, - command=('selinuxusermap_enable', [rule1], {}), - expected=errors.AlreadyActive(), - ), - - - # Point to an HBAC Rule - dict( - desc='Add an HBAC rule to %r that has other members' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - - dict( - desc='Remove host from %r' % rule1, - command=('selinuxusermap_remove_host', [rule1], dict(host=host1)), - expected=dict( - failed=dict(memberhost=dict(hostgroup=[], host=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - memberuser_group=[group1], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Remove group from %r' % rule1, - command=('selinuxusermap_remove_user', [rule1], - dict(group=group1)), - expected=dict( - failed=dict(memberuser=dict(group=[], user=[])), - completed=1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ) - ), - - - dict( - desc='Add non-existent HBAC rule to %r' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(seealso=u'notfound') - ), - expected=errors.NotFound( - reason=u'HBAC rule notfound not found'), - ), - - - dict( - desc='Add an HBAC rule to %r' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) - ), - expected=dict( - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser2], - ipaenabledflag=[u'TRUE'], - seealso=hbacrule1, - ), - summary=u'Modified SELinux User Map "%s"' % rule1, - value=rule1, - ), - ), - - - dict( - desc='Add user to %r that has HBAC' % rule1, - command=('selinuxusermap_add_user', [rule1], dict(user=user1)), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - - dict( - desc='Add host to %r that has HBAC' % rule1, - command=('selinuxusermap_add_host', [rule1], dict(host=host1)), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - - dict( - desc='Try to delete HBAC rule pointed to by %r' % rule1, - command=('hbacrule_del', [hbacrule1], {}), - expected=errors.DependentEntry(key=hbacrule1, - label=u'SELinux User Map', dependent=rule1) - ), - - - # This tests selinuxusermap-find --hbacrule=<foo> returns an - # exact match - dict( - desc='Try to delete similarly named HBAC rule %r' % hbacrule2, - command=('hbacrule_del', [hbacrule2], {}), - expected=dict( - result=dict(failed=u''), - value=hbacrule2, - summary=u'Deleted HBAC rule "%s"' % hbacrule2, - ) - ), - - - # Test clean up - dict( - desc='Delete %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=dict( - result=dict(failed=u''), - value=rule1, - summary=u'Deleted SELinux User Map "%s"' % rule1, - ) - ), - - - dict( - desc='Try to delete non-existent %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=errors.NotFound( - reason=u'%s: SELinux User Map rule not found' % rule1), - ), - - - # Some negative tests - dict( - desc='Create rule with unknown user %r' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=u'notfound:s0:c0') - ), - expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 ' + - u'not found in ordering list (in config)'), - ), - - - dict( - desc='Create rule with invalid user bad+user', - command=( - 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'bad+user') - ), - expected=errors.ValidationError(name='selinuxuser', - error=u'Invalid SELinux user name, only a-Z and _ are allowed' - ), - ), - - - dict( - desc='Create rule with invalid MCS xguest_u:s999', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=u'xguest_u:s999') - ), - expected=errors.ValidationError(name='selinuxuser', - error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), - ), - - - dict( - desc='Create rule with invalid MLS xguest_u:s0:p88', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=u'xguest_u:s0:p88') - ), - expected=errors.ValidationError(name='selinuxuser', - error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + - u'and/or c[0-1023]-c[0-c0123]'), - ), - - - dict( - desc='Create rule with invalid MLS xguest_u:s0:c0.c1028', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028') - ), - expected=errors.ValidationError(name='selinuxuser', - error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + - u'and/or c[0-1023]-c[0-c0123]'), - ), - - - dict( - desc='Create rule with invalid user via setattr', - command=( - 'selinuxusermap_mod', [rule1], - dict(setattr=u'ipaselinuxuser=deny') - ), - expected=errors.ValidationError(name='ipaselinuxuser', - error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), - ), - - dict( - desc='Create rule with both --hbacrule and --usercat set', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, - seealso=hbacrule1, - usercategory=u'all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Create rule with both --hbacrule and --hostcat set', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, - seealso=hbacrule1, - hostcategory=u'all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Create rule with both --hbacrule ' - 'and --usercat set via setattr', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, - seealso=hbacrule1, - setattr=u'usercategory=all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Create rule with both --hbacrule ' - 'and --hostcat set via setattr', - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, - seealso=hbacrule1, - setattr=u'hostcategory=all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Create rule %r with --hbacrule' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1) - ), - expected=dict( - value=rule1, - summary=u'Added SELinux User Map "%s"' % rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - objectclass=objectclasses.selinuxusermap, - ipauniqueid=[fuzzy_uuid], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - seealso=hbacrule1 - ), - ), - ), - - dict( - desc='Add an --usercat to %r that has HBAC set' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(usercategory=u'all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Add an --hostcat to %r that has HBAC set' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(hostcategory=u'all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Add an usercat via setattr to %r that has HBAC set' % rule1, - command=( - 'selinuxusermap_mod', [rule1], - dict(setattr=u'usercategory=all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Add an hostcat via setattr to %r that has HBAC set' % rule1, - command=( - 'selinuxusermap_mod', [rule1], - dict(setattr=u'hostcategory=all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Delete %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=dict( - result=dict(failed=u''), - value=rule1, - summary=u'Deleted SELinux User Map "%s"' % rule1, - ) - ), - - dict( - desc='Create rule %r with usercat and hostcat set' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1, - usercategory=u'all', - hostcategory=u'all') - ), - expected=dict( - value=rule1, - summary=u'Added SELinux User Map "%s"' % rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - objectclass=objectclasses.selinuxusermap, - ipauniqueid=[fuzzy_uuid], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - usercategory=[u'all'], - hostcategory=[u'all'] - ), - ), - ), - - dict( - desc='Add HBAC rule to %r that has usercat and hostcat' % rule1, - command=( - 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Delete %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=dict( - result=dict(failed=u''), - value=rule1, - summary=u'Deleted SELinux User Map "%s"' % rule1, - ) - ), - - dict( - desc='Create rule %r' % rule1, - command=( - 'selinuxusermap_add', [rule1], - dict(ipaselinuxuser=selinuxuser1) - ), - expected=dict( - value=rule1, - summary=u'Added SELinux User Map "%s"' % rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - objectclass=objectclasses.selinuxusermap, - ipauniqueid=[fuzzy_uuid], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - ), - ), - ), - - dict( - desc='Add HBAC rule, hostcat and usercat to %r' % rule1, - command=( - 'selinuxusermap_mod', [rule1], - dict(seealso=hbacrule1, - usercategory=u'all', - hostcategory=u'all') - ), - expected=errors.MutuallyExclusiveError( - reason=u'HBAC rule and local members cannot both be set'), - ), - - dict( - desc='Delete %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=dict( - result=dict(failed=u''), - value=rule1, - summary=u'Deleted SELinux User Map "%s"' % rule1, - ) - ), - - dict( - desc='Create rule %r with ' - '--setattr=seealso=<allow_all rule DN>' % rule1, - command=( - 'selinuxusermap_add', - [rule1], - dict(ipaselinuxuser=selinuxuser1, - setattr=u'seealso=%s' % allow_all_rule_dn) - ), - expected=dict( - value=rule1, - summary=u'Added SELinux User Map "%s"' % rule1, - result=dict( - cn=[rule1], - ipaselinuxuser=[selinuxuser1], - objectclass=objectclasses.selinuxusermap, - ipauniqueid=[fuzzy_uuid], - ipaenabledflag=[u'TRUE'], - dn=fuzzy_selinuxusermapdn, - seealso=u'allow_all', - ), - ), - ), - - dict( - desc='Delete %r' % rule1, - command=('selinuxusermap_del', [rule1], {}), - expected=dict( - result=dict(failed=u''), - value=rule1, - summary=u'Deleted SELinux User Map "%s"' % rule1, - ) - ), - ] |